The Book-keepers Forum (BKF)

TOPIC: Have I breached GDPR already?


Guru

Posts: 1313


 

Only 2 days old and messed up already: client emailed me this morning with a copy of a letter attached (not password protected) and I replied to the email without deleting the attachment. Just shows how easy it is to forget!

 



__________________

Doug

These are only my opinions of how I see things and therefore should not be taken as advice



Expert

Posts: 1811

I think you need to sit back and think about that a bit more - or possibly explain it better in case I'm missing some subtlety!

Most sensible email clients, when you hit reply, don't include the attachment in the reply. Why would they, if you're replying to the person who sent it to you in the first place?


__________________

Vince M Hudd - Soft Rock Software

(I only came here looking for fellow apiarists...)



Guru

Posts: 1313

VinceH wrote:

> I think you need to sit back and think about that a bit more - or possibly explain it better in case I'm missing some subtlety!
>
> Most sensible email clients, when you hit reply, don't include the attachment in the reply. Why would they, if you're replying to the person who sent it to you in the first place?


Hi Vince

No, you weren't missing anything, just me being an idiot. But to be honest I never really thought about what was included in the reply; I just thought that everything from the original message would still be attached, but what you say makes perfect sense.

At least I won't have to go into hiding for a breach of GDPR

Cheers



__________________

Doug

These are only my opinions of how I see things and therefore should not be taken as advice



Master Book-keeper

Posts: 8646

Artois wrote:

> At least I won't have to go into hiding for a breach of GDPR
>
> Cheers


Well, not that one anyway!

My head is spinning with it all - pretty sure I'm overthinking massive parts of it as well as underthinking some others.

How about a thread with dos and don'ts/queries/examples? (although probably as usual it will only be a few who join in, so then I think - nahhhh, as it's the same folk making all the effort to benefit those who don't, except we might get some as well!!)

Do you think it's time you (and Shaun) changed your Avatar, Vince? It's making me feel cold. Doug - yours is making me feel like going on holiday (but the dog needs to get off the surf board!)



__________________

 Joanne 

Winner of Bookkeeper of the Year 2015, 2016 & 2017 

Thoughts are my own/not to be regarded as official advice, which should be sought from a suitably qualified Accountant.

You should check out answers with reference to the legal position



Master Book-keeper

Posts: 3904

Hi Joanne

Despite my good intentions I left it all 'til the last minute. All data with personal info will go out password protected from now on, and I'm currently implementing something on my website to share documents. When I eventually build the front end of the website I will have a privacy policy (nicked from elsewhere). Also made sure laptops can't be accessed without a password. A small section added to LofE about data, and I think that's all I need to do.



__________________

John

Any advice given is for general guidance and professional advice should be sought applicable to your circumstances.



Master Book-keeper

Posts: 8646

Haha, me too John. About 2 hours before midnight I sent emails out (you know, those annoying ones everyone was sending....and still are!) No consent ones as I don't do marketing, but I've built in something to my wording for items that may be to their benefit. Gives me the opportunity to approach clients if I choose to, but then they can opt out as at that point I will ask for consent.

Mine contained effectively addendums to existing docs by way of (1) revised privacy policy and (2) data processor agreements for those I act as processor as well as controller, eg payroll and invoicing type clients.

I understand that some of the prof bodies have issued 'holding' type engagement letters with fully revised new ones including GDPR not due out until mid June or thereafter. This I'm assuming is due to the fact that GDPR Royal assent has only just been given (wasn't it 23 May?); because the old act hasn't been repealed (I think); no-one had seen the full act as the final text of the legislation hadn't been released yet, and the ICO haven't yet fully developed their advisory document. So in my email I said that the policy would be revised as matters were updated and that new LoEs would be issued later this summer. I suspect some clients may not want to sign a new LoE so some will just need to be an addendum anyway.

I've not got a website so can't quote my policy on there. So I was wondering if I should have a link to it on my emails (say dropping through to a Dropbox link, or something better)? Or should I just add an 'if you want a copy of my privacy policy then ask' type of comment? But then do I need a general policy (slightly less specific than it is for clients....I need to re-read it!!)?

Also then wondering if I should set something up via Mailchimp (or again if this will be overkill).

I've not yet approached all the contacts I have (clients of clients/contacts of clients/my other contacts) where I have a non-general, ie name@xxx.co.uk, email. Should I be doing?

Just had a thought this morning after you mentioned the password protection on docs and also given a query I saw elsewhere a few days ago, but hadn't been answered.

I have a client who issues hand-written invoices (high end, 2nd hand stuff, uses margin scheme). Due to the hand-written nature, multiple deposits and a pile of other factors (no, you will NEVER change them!) there are often queries, so I generally just photocopy the page from the invoice book and email it to them. Guess I should be password protecting that as it holds client names (and sometimes phone numbers, but not much else as the ID bits are on the reverse!)?

Also - I invoice for one of my clients, just manually created (as not many) - so for her and this particular task I'm a processor (like with wages). Mostly it's to Limited companies, but always addressed to a personal contact, but also contains personal details of folk/their clients - so I guess these should be p/w protected as well?

Plus with the above - often emails are sent to, say, accounts@xyz eg for credit control - that's ok, no personal names. But what if I email FredBloggs@xyz for credit control.......that's classed as a personal email....so should he have had my privacy policy doc? I understand I don't need consent (legitimate interest in my case / contract in my client's case - shame I cannot rely on the latter as the LI route is harder to document etc, or can I as I'm just a processor and she, ie my client, SHOULD have emailed all those folk with her controller privacy doc!)

Then I also issue invoices via a 3rd party software company for another client. So again I'm a processor. I checked the status of the company (Finnish based so covered under GDPR, and according to their GDPR policy they MAY release data to the US but it's covered under Privacy Guard, so I've had to build that in to my wording for my client, as it's my software, like Moneysoft!) Invoices - B2B but all sole traders - so personal info. The invoicing software doesn't have password protection for the invoices. Should they? Or am I now supposed to email them all outwith the software and add protection? Or is this now in the realms of bloody overkill! (Again my client should have sent out a privacy policy as the controller).

I thought of a PILE of other examples the other night that raised queries, have them written down somewhere so will have to recover them once I've recovered from my 11th hour privacy policy authorisings!

Daft thing is - there will be a big court case brought to ram it down folks' throats and make an example of some company (wonder who....hmmm), then it will all be reliant on self monitoring. Apart from some member of the public with more time on their hands than they know what to do with who will go after some company and ensure they receive a big fat fine. OK to my mind if major wrongdoings, but I fear it's the little man as ever who gets beaten and the real culprits, the persistent spammers, will continue as they see a 4% of t/o fine as just the cost of doing business!!!

Can I go back to sleep now please, my brain hurts!!!!



__________________

 Joanne 

Winner of Bookkeeper of the Year 2015, 2016 & 2017 

Thoughts are my own/not to be regarded as official advice, which should be sought from a suitably qualified Accountant.

You should check out answers with reference to the legal position



Guru

Posts: 1313

Cheshire wrote:

> Doug - yours is making me feel like going on holiday (but the dog needs to get off the surf board!)


What happens if he can't swim?

It is a good idea for a dos and don'ts thread because I am still not sure; I've read the ICO and quite a few other articles, but I don't think anyone is 100%.

Like John, just going to send any personal data password protected.

Now looking forward to a nice afternoon reading my Law study book.



__________________

Doug

These are only my opinions of how I see things and therefore should not be taken as advice



Expert

Posts: 1811

"Do you think its time you (and Shaun) changed your Avatar Vince?   Its making me feel cold."

I'm not sure if I have anything suitably amusing/quirky/whatever to suit the time of year. I'll have a look shortly to see if I can find something that I can either use outright, or tinker with slightly.

Otherwise it's back to that picture of me without any clothes on. You know the one - where it reveals that I'm actually a cyborg - a human head on a robotic body.

"How about a thread with dos and donts/queries/examples?"

It's a sensible idea - but the problem with a thread on the subject is firstly what you then go on to say, and secondly that it will get polluted with different opinions and interpretations. I might interpret things one way, John another, Shaun another again... and nobody is any the wiser. GDPR is written to be flexible in how it's applied, depending on circumstances - which means it's flexible in how it can be interpreted. Swings. Roundabouts.

Your question(s) about emailing invoices, and whether or not they should be password protected, for example. You don't have to do this but it 'might' be a good idea, depending on circumstances. It's up to you to weigh things up and decide whether you should or not.

In fact... [clickety, clickety, curse, clickety, clickety, curses again]

[The cursing is because I've just spotted some (more) brokenness on the ICO website[1]]

If you visit this page:

 https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/

And scroll down to where it's subtitled "What level of security is required?"

You'll see it explains that GDPR doesn't specify anything - and that it's up to you to deem what is appropriate (pretty much what I said above). Given, however, that you're talking about stuff you're doing on behalf of clients, it should probably be discussed with them, and they may need to ensure their own privacy policies clearly cover this. (And their own customers may or may not object.) It's complicated and messy - but as the above page says, there's no "one size fits all."

FWIW, my own efforts as regards GDPR amount to just one thing - I wrote a 'news' post on one of my sites explaining why I haven't published a privacy policy.

 

 

[1] On that page, under 'In brief' each subsequent section is given a link - but those links don't work because the corresponding anchor names haven't been included at the start of each section. Duh. (I looked at the source to check, in case they'd got them wrong - but they aren't there at all. Duh again.)

A bit of brokenness I'd already found is that the site doesn't sensibly degrade if your browser window is too narrow - on the front page, all the 'For organisations' titles are missing if that's the case; a too-narrow window should result in them appearing below. (The links are still there - the yellow arrows - but not the titles).


__________________

Vince M Hudd - Soft Rock Software

(I only came here looking for fellow apiarists...)



Forum Moderator & Expert

Posts: 11981

Ok, bending to peer pressure... Squirrels it is

 



-- Edited by Shamus on Monday 28th of May 2018 03:48:00 PM

__________________

Shaun

Responses are not meant as a substitute for professional advice. Answers are intended as outline only the advice of a qualified professional with access to all relevant information should be sought before acting on any response given.



Expert

Posts: 1811

Haha!

The reason I went for a squirrel is because browsing my photos for something taken 'around this time' the best I could find that was more than just an ordinary photo was one of a squirrel climbing down a bird feeder to get at the nuts contents. So I cropped, resized and briefly made it my avatar.

Briefly because I then remembered my 'office squirrel' picture. Not sure exactly when that was taken, but decided to switch to it.

The (avatar-ified) original: [attached image, DSCF4431a.JPG]

-- Edited by VinceH on Monday 28th of May 2018 04:07:38 PM

__________________

Vince M Hudd - Soft Rock Software

(I only came here looking for fellow apiarists...)



Master Book-keeper

Posts: 3904

Hi Joanne, bear in mind I'm only a layman, so no suing allowed if I've got it wrong. This is the way I view it (opposing views welcomed).

Cheshire wrote:

> I've not got a website so can't quote my policy on there. So I was wondering if I should have a link to it on my emails (say dropping through to a Dropbox link, or something better)? Or should I just add an 'if you want a copy of my privacy policy then ask' type of comment? But then do I need a general policy (slightly less specific than it is for clients....I need to re-read it!!)?

I would have something like "This is our privacy policy", and then the link. Will even do that myself I think, so thanks.

> Also then wondering if I should set something up via Mailchimp (or again if this will be overkill).

If you're not doing marketing then imo that's overkill. Payroll's the only area where I have personal information and I've covered that, and ensured my systems are reasonably secure.

> I've not yet approached all the contacts I have (clients of clients/contacts of clients/my other contacts) where I have a non-general, ie name@xxx.co.uk, email. Should I be doing?

Do you mean whilst working for a client, eg joanne at clientx.co.uk? I would have thought it was up to the client to ensure they have implemented GDPR. The way I see it (I could be wrong), GDPR is primarily about the protection of personal data, not business contacts in general. So if it's sending an invoice, say, then I don't think that comes under GDPR, unless it's a non-business address.

> Just had a thought this morning after you mentioned the password protection on docs and also given a query I saw elsewhere a few days ago, but hadn't been answered.
>
> I have a client who issues hand-written invoices (high end, 2nd hand stuff, uses margin scheme). Due to the hand-written nature, multiple deposits and a pile of other factors (no, you will NEVER change them!) there are often queries, so I generally just photocopy the page from the invoice book and email it to them. Guess I should be password protecting that as it holds client names (and sometimes phone numbers, but not much else as the ID bits are on the reverse!)?

Personally I don't think so. As I said, I'm setting up a portal to avoid sending documents by email, but I don't think it's a GDPR requirement.

> Also - I invoice for one of my clients, just manually created (as not many) - so for her and this particular task I'm a processor (like with wages). Mostly it's to Limited companies, but always addressed to a personal contact, but also contains personal details of folk/their clients - so I guess these should be p/w protected as well?

If the invoices contain personal information then yes, imo.

> Plus with the above - often emails are sent to, say, accounts@xyz eg for credit control - that's ok, no personal names. But what if I email FredBloggs@xyz for credit control.......that's classed as a personal email....so should he have had my privacy policy doc? I understand I don't need consent (legitimate interest in my case / contract in my client's case - shame I cannot rely on the latter as the LI route is harder to document etc, or can I as I'm just a processor and she, ie my client, SHOULD have emailed all those folk with her controller privacy doc!)

Messy isn't it? I've not considered that aspect. To my mind, if it's john.ross at business .co .uk then it's not personal info, but maybe it is. Obviously sending to john ross at gmail dot com is a personal email address and as such personal data.

> Then I also issue invoices via a 3rd party software company for another client. So again I'm a processor. I checked the status of the company (Finnish based so covered under GDPR, and according to their GDPR policy they MAY release data to the US but it's covered under Privacy Guard, so I've had to build that in to my wording for my client, as it's my software, like Moneysoft!) Invoices - B2B but all sole traders - so personal info. The invoicing software doesn't have password protection for the invoices. Should they? Or am I now supposed to email them all outwith the software and add protection? Or is this now in the realms of bloody overkill! (Again my client should have sent out a privacy policy as the controller).

Again I think that that's overkill. Primarily GDPR is about the protection of personal data, especially from a marketing aspect. A B2B invoice is not under GDPR unless it contains personal info. If it's addressed to Joe Bloggs, home address, fair enough, but if it's addressed to Joe Bloggs, Bloggs Commercial, home address but it's where he conducts his business from, then to me that's business, with the caveat I might be wrong.

> I thought of a PILE of other examples the other night that raised queries, have them written down somewhere so will have to recover them once I've recovered from my 11th hour privacy policy authorisings!
>
> Daft thing is - there will be a big court case brought to ram it down folks' throats and make an example of some company (wonder who....hmmm), then it will all be reliant on self monitoring. Apart from some member of the public with more time on their hands than they know what to do with who will go after some company and ensure they receive a big fat fine. OK to my mind if major wrongdoings, but I fear it's the little man as ever who gets beaten and the real culprits, the persistent spammers, will continue as they see a 4% of t/o fine as just the cost of doing business!!!

My thoughts exactly.

> Can I go back to sleep now please, my brain hurts!!!!

Course you can Malcolm, which reminds me, you lot are desperately needing the answers to 1 and 2 on the quiz.


 



__________________

John

Any advice given is for general guidance and professional advice should be sought applicable to your circumstances.



Master Book-keeper

Posts: 8646

Hi Vince

Good pic change, I like rats with fluffy tails as long as they stay out of my loft! Although imagining Shaun doing that pose is just scary!

Agree that any post on this gets a md one different opinions and interpretation, but from the right folk that's not a problem as it just opens up the thought process a bit more, even if you don't all agree, plus might ensure some fundamental stuff is not forgotten. Problem starts when you get the usual spammers jumping on the band wagon and spouting rubbish.

Thanks for the link - I tried it too and found the damned thing was broken. Best thing I found was the whole site went down for several hours on 24th May, just when folk like me needed it! Always leave things to the very last minute. But anyway, thanks again for that link as it reminded me of some of the stuff I had read in the beginning, and based on what it said I had made the decision that such invoices don't HAVE to be protected so decided not to, but left it up to my clients, although I'm thinking now that if (when) they don't bother to read the processor agreement sufficiently then such could be missed, so think I will approach them separately and get their agreements to whatever (which might be determined by the extra cost!)

I'm assuming that you have a very good reason for not publishing a privacy policy for one of your sites. Ie it's not required in the first instance.



__________________

 Joanne 

Winner of Bookkeeper of the Year 2015, 2016 & 2017 

Thoughts are my own/not to be regarded as official advice, which should be sought from a suitably qualified Accountant.

You should check out answers with reference to the legal position



Master Book-keeper

Posts: 8646

Leger wrote:

> Hi Joanne, bear in mind I'm only a layman, so no suing allowed if I've got it wrong. This is the way I view it (opposing views welcomed).
>
> Cheshire wrote:
>
> > I've not got a website so can't quote my policy on there. So I was wondering if I should have a link to it on my emails (say dropping through to a Dropbox link, or something better)? Or should I just add an 'if you want a copy of my privacy policy then ask' type of comment? But then do I need a general policy (slightly less specific than it is for clients....I need to re-read it!!)?
>
> I would have something like "This is our privacy policy", and then the link. Will even do that myself I think, so thanks.
>
> > Also then wondering if I should set something up via Mailchimp (or again if this will be overkill).
>
> If you're not doing marketing then imo that's overkill.

Am also sort of thinking ahead for when sending newsletters/tax updates/additional stuff that might benefit the clients.

> Payroll's the only area where I have personal information and I've covered that, and ensured my systems are reasonably secure.
>
> > I've not yet approached all the contacts I have (clients of clients/contacts of clients/my other contacts) where I have a non-general, ie name@xxx.co.uk, email. Should I be doing?
>
> Do you mean whilst working for a client, eg joanne at clientx.co.uk?

No - I don't work at the clients, do it from home on my systems/software (one software ino client, but my login as I choose it and set it up!)

> I would have thought it was up to the client to ensure they have implemented GDPR. The way I see it (I could be wrong), GDPR is primarily about the protection of personal data, not business contacts in general. So if it's sending an invoice, say, then I don't think that comes under GDPR, unless it's a non-business address.

There are lots for one client who use all personal data, although they are businesses, because they are sole traders. So home addresses, mobiles, gmail and the like - no way of knowing if business or not (think of it as a slight upgrade from a hobby type business).

> > Just had a thought this morning after you mentioned the password protection on docs and also given a query I saw elsewhere a few days ago, but hadn't been answered.
> >
> > I have a client who issues hand-written invoices (high end, 2nd hand stuff, uses margin scheme). Due to the hand-written nature, multiple deposits and a pile of other factors (no, you will NEVER change them!) there are often queries, so I generally just photocopy the page from the invoice book and email it to them. Guess I should be password protecting that as it holds client names (and sometimes phone numbers, but not much else as the ID bits are on the reverse!)?
>
> Personally I don't think so. As I said, I'm setting up a portal to avoid sending documents by email, but I don't think it's a GDPR requirement.

Have you decided on a portal yet? Which one?

> > Also - I invoice for one of my clients, just manually created (as not many) - so for her and this particular task I'm a processor (like with wages). Mostly it's to Limited companies, but always addressed to a personal contact, but also contains personal details of folk/their clients - so I guess these should be p/w protected as well?
>
> If the invoices contain personal information then yes, imo.

Agree, so rather than pick and choose, might just be easier to do the whole bloody lot that way, but certainly need to contact my clients re this as I said to Vince.

> > Plus with the above - often emails are sent to, say, accounts@xyz eg for credit control - that's ok, no personal names. But what if I email FredBloggs@xyz for credit control.......that's classed as a personal email....so should he have had my privacy policy doc? I understand I don't need consent (legitimate interest in my case / contract in my client's case - shame I cannot rely on the latter as the LI route is harder to document etc, or can I as I'm just a processor and she, ie my client, SHOULD have emailed all those folk with her controller privacy doc!)
>
> Messy isn't it? I've not considered that aspect. To my mind, if it's john.ross at business .co .uk then it's not personal info, but maybe it is.

I watched some training vids from ACCA/ICAEW/Brightpay and one of them, or somewhere in the notes I've grabbed from other bodies, it states personal name@business had to be included/covered (with reasons for holding data/privacy pol issued/consent if it's not contractual etc), but reading the notes on the ICO I think it could be considered too much, unless the item you are THEN enclosing has something in it that can id the person FURTHER. But again - just wondering if it's easier to email all as then it's just done!!! I could do with finding the reference for you - might do that over the next week or so if I get some time as I've hacked up a load of the information I've collected and bunged it on a reference doc. Strangely I've also had a few of these emails myself eg from clients' clients/contacts (eg one I get remittance advices from, insurance broker one I corresponded with - they used joanne@......)

> Obviously sending to john ross at gmail dot com is a personal email address and as such personal data.
>
> > Then I also issue invoices via a 3rd party software company for another client. So again I'm a processor. I checked the status of the company (Finnish based so covered under GDPR, and according to their GDPR policy they MAY release data to the US but it's covered under Privacy Guard, so I've had to build that in to my wording for my client, as it's my software, like Moneysoft!) Invoices - B2B but all sole traders - so personal info. The invoicing software doesn't have password protection for the invoices. Should they? Or am I now supposed to email them all outwith the software and add protection? Or is this now in the realms of bloody overkill! (Again my client should have sent out a privacy policy as the controller).
>
> Again I think that that's overkill. Primarily GDPR is about the protection of personal data, especially from a marketing aspect. A B2B invoice is not under GDPR unless it contains personal info. If it's addressed to Joe Bloggs, home address, fair enough

(They absolutely are! Or if they are possible business addresses I have no idea!)

> but if it's addressed to Joe Bloggs, Bloggs Commercial, home address but it's where he conducts his business from, then to me that's business, with the caveat I might be wrong.
>
> > I thought of a PILE of other examples the other night that raised queries, have them written down somewhere so will have to recover them once I've recovered from my 11th hour privacy policy authorisings!
> >
> > Daft thing is - there will be a big court case brought to ram it down folks' throats and make an example of some company (wonder who....hmmm), then it will all be reliant on self monitoring. Apart from some member of the public with more time on their hands than they know what to do with who will go after some company and ensure they receive a big fat fine. OK to my mind if major wrongdoings, but I fear it's the little man as ever who gets beaten and the real culprits, the persistent spammers, will continue as they see a 4% of t/o fine as just the cost of doing business!!!
>
> My thoughts exactly.
>
> > Can I go back to sleep now please, my brain hurts!!!!
>
> Course you can Malcolm, which reminds me, you lot are desperately needing the answers to 1 and 2 on the quiz.

Thanks John. All a right royal pain in the butt and another pile of red tape which impacts more on the small business.



__________________

 Joanne 

Winner of Bookkeeper of the Year 2015, 2016 & 2017 

Thoughts are my own/not to be regarded as official advice, which should be sought from a suitably qualified Accountant.

You should check out answers with reference to the legal position



Expert

Posts: 1811

"Im assuming that you have a very good reason for not publishing a privacy policy for one of your sites. Ie its not required in the first instance."

Slight correction/misunderstanding: I haven't put a Privacy Policy on any of my sites - but published a news item on one. It's complicated because I have numerous websites and domains doing different but inter-related things.

The site in question is an OS-related news site. The news item I've put on it explains that it does not collect visitor data (there are no user log-ins other than my own). There are no cookies.

It also explains that the site has a related domain on which I run mailing (discussion) lists. For these to work, users subscribe with an email address; any message sent to the list by any subscriber is then automatically sent out to all subscribers, and appears in the list archive on the web. That's the fundamental point of mailing lists: They are, by definition, not private. So strictly speaking a privacy policy does need to be set out which explains that - but for now, the news item effectively covers it.

(The lists themselves have always followed industry best practice - which is that when a user subscribes, they are sent an email with a means to confirm their subscription; no confirmation = no subscription. That avoids third parties maliciously subscribing people to the lists).

The next related site is an 'awards' site for software/hardware related to the OS. This does collect some user data - certain information is collected (with name/email address purely voluntary) as part of each vote. I do this so when it's processed I can weed out duplicates, and deal with superseded votes - and once they are fully processed, it gets deleted. It only collects that information while the poll is on (and I ran it late, so it crossed GDPR by one day). I skipped it because of that "one day" - meh! I'll deal with that one in time for the next poll - but also because right above the field for people to enter their email address, all of that is actually explained; so there's already a privacy policy, it just isn't headed "Privacy Policy" and on a page of its very own. (And when I write one, it'll say much the same, but in longer terms and with more words.)

Then there's my Soft Rock Software sites and a couple of peripheral ones - and for these, we're back to the fact that they don't collect any visitor data.

A policy page will appear on all the sites... eventually. Meanwhile, I'm taking a relaxed approach and not getting stressed over it. Already being a tinfoil hat wearing paranoid nutjob means I should be compliant anyway - I wouldn't do with other people's data what I wouldn't want them doing with mine.



__________________

Vince M Hudd - Soft Rock Software

(I only came here looking for fellow apiarists...)
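The confirmed-subscription flow Vince describes above (send a confirmation email; no confirmation, no subscription) is the standard defence against someone subscribing a third party to a list. The sketch below is an added illustration, not code from the post or from any real list manager; the class name, the 48-hour expiry and the in-memory store are assumptions, and the addresses are constructed.

```python
import secrets
import time

# Added example (not the forum's code): double opt-in for a mailing list.
# A subscription request only creates a *pending* entry; the address joins the
# list when the confirmation token, which is emailed to that address, comes
# back. A third party typing someone else's address never sees the token, so
# they cannot subscribe that person. Names, TTL and the store are assumptions.

TOKEN_TTL_SECONDS = 48 * 3600  # assumed: unconfirmed requests lapse after 48 hours


class MailingList:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self.subscribers = set()   # confirmed addresses (lower-cased)
        self._pending = {}         # token -> (email, issued_at)

    def _purge_expired(self):
        cutoff = self._now() - TOKEN_TTL_SECONDS
        for tok in [t for t, (_, ts) in self._pending.items() if ts < cutoff]:
            del self._pending[tok]

    def request_subscription(self, email: str) -> str:
        """Step 1: record a pending request and return the token that the list
        software would email to `email`. Nothing is subscribed yet."""
        self._purge_expired()
        token = secrets.token_urlsafe(32)      # 256 bits of randomness: unguessable
        self._pending[token] = (email.strip().lower(), self._now())
        return token

    def confirm(self, token: str) -> bool:
        """Step 2: only whoever reads that mailbox holds the token. Returns True
        if the address was subscribed, False for unknown, reused or expired tokens."""
        entry = self._pending.pop(token, None)  # one-shot: a token cannot be replayed
        if entry is None:
            return False
        email, issued_at = entry
        if self._now() - issued_at > TOKEN_TTL_SECONDS:
            return False                         # no confirmation in time = no subscription
        self.subscribers.add(email)
        return True

    def pending_count(self) -> int:
        self._purge_expired()
        return len(self._pending)

    def is_subscribed(self, email: str) -> bool:
        return email.strip().lower() in self.subscribers


def demo() -> dict:
    """Walk through the flow with a fake clock; returns the outcomes for inspection."""
    clock = {"t": 1_000_000.0}
    lst = MailingList(now=lambda: clock["t"])
    victim_tok = lst.request_subscription("victim@example.com")   # constructed addresses
    alice_tok = lst.request_subscription("Alice@Example.com")
    results = {
        "unconfirmed_not_subscribed": not lst.is_subscribed("victim@example.com"),
        "guessed_token_rejected": lst.confirm("not-the-real-token") is False,
        "alice_confirmed": lst.confirm(alice_tok),
        "alice_replay_rejected": lst.confirm(alice_tok) is False,
    }
    clock["t"] += TOKEN_TTL_SECONDS + 1          # the victim never confirms; 48 h pass
    results["expired_rejected"] = lst.confirm(victim_tok) is False
    results["subscribers"] = sorted(lst.subscribers)
    return results


if __name__ == "__main__":
    print(demo())
```

The two properties worth checking are that an address is never added before the token comes back, and that a token works once and then lapses; the `demo()` walk-through exercises both with an injected clock so the expiry path is covered without waiting two days.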



Master Book-keeper

Status: Offline
Posts: 8646
Date:
Permalink Closed

VinceH wrote:

 I wouldn't do with other people's data what I wouldn't want them doing with mine.


Ditto. Problem, as I've said before, remains with those who don't share such ethics. But then the old law, the new law and anything in between will not deter such folk.

 



__________________

 Joanne 

Winner of Bookkeeper of the Year 2015, 2016 & 2017 

Thoughts are my own/not to be regarded as official advice, which should be sought from a suitably qualified Accountant.

You should check out answers with reference to the legal position



Master Book-keeper

Status: Offline
Posts: 3904
Date:
Permalink Closed

I was rather gobsmacked when looking at the student sign up page on AAT last night and there was a tick box to opt out of 3rd party notifications.

No, AAT, that's totally wrong. It's opt-in, not opt-out. That's the whole point of GDPR.

Looking at their data policy it gets worse.  They keep your details for 10 years after you cease membership with some exceptions:

  • Your basic student records, such as name, address history, membership statuses, work experience history and other awarding bodies and practice management details will be retained for 100 years from the end of your membership to support other required reporting and professional queries

Their emphasis, not mine

What conceivable reason would they need to hold on to that info for that long?

 



__________________

John 

 

 

 Any advice given is for general guidance and professional advice should be sought applicable to your circumstances.



Expert

Status: Offline
Posts: 1811
Date:
Permalink Closed

Quite. One of the key points with GDPR is that people have to actively give consent, not give it because of a pre-ticked box that could be overlooked.

That 100 years thing - I bet that value was put in the original text as a placeholder, while they checked the period they needed for 'required reporting' and subsequently forgot to check/change it to what it should be.

__________________

Vince M Hudd - Soft Rock Software

(I only came here looking for fellow apiarists...)



Master Book-keeper

Status: Offline
Posts: 3904
Date:
Permalink Closed

VinceH wrote:

That 100 years thing - I bet that value was put in the original text as a placeholder, while they checked the period they needed for 'required reporting' and subsequently forgot to check/change it to what it should be.


 Hmm, never thought of that, you may well be right.  I was just astounded that they need to hang on to the data for that long.

 

Incidentally, is snail mail covered by GDPR? I've heard no mention that it is.

I heard a story today of a training body that panicked because someone had sent some student assessments off by post (which is how they always did it) but thought that's a no-no now under GDPR.



__________________

John 

 

 

 Any advice given is for general guidance and professional advice should be sought applicable to your circumstances.



Guru

Status: Offline
Posts: 1313
Date:
Permalink Closed

 

Hi John

Good point about the post. I am still using it as I have not heard any different, but I suppose there could be a good argument that it might not go to the right address. I don't really want to send everything by recorded delivery (not even sure if that would be OK).

Would be interesting to hear others views



__________________

Doug

These are only my opinions of how I see things and therefore should not be taken as advice



Expert

Status: Offline
Posts: 1811
Date:
Permalink Closed

As I said further up, GDPR is written very generally and doesn't go into specifics. I don't think there's anything in it that says posted stuff has to be sent via a particular method!

That would not only be too specific for something that's supposed to be general, but people would be wondering if Royal Mail had offered up any backhanders to get something pushed through that bolstered their sales.

I don't think there's anything fundamentally wrong with posting stuff ordinarily - if it does go astray in the post, that's down to the people who take on responsibility for it once it's out of your hands. You've taken all reasonable steps if the only thing readable from the outside is the recipient's name and address: It's not down to your failure if someone else goes to the effort of intercepting and opening mail, which is a criminal offence.

Again, not something stated, but what I would suggest is that you always - ALWAYS - put a return address on the outside of the envelope. If it can't be delivered for whatever means, it has to be returned to you, and with no return address on the outside it gets opened.


__________________

Vince M Hudd - Soft Rock Software

(I only came here looking for fellow apiarists...)



Guru

Status: Offline
Posts: 1313
Date:
Permalink Closed

VinceH wrote:

Again, not something stated, but what I would suggest is that you always - ALWAYS - put a return address on the outside of the envelope. If it can't be delivered for whatever means, it has to be returned to you, and with no return address on the outside it gets opened.


Good idea Vince, whether for GDPR or not. Not something I have done in the past, but will certainly do so now moving forwards.

Cheers



__________________

Doug

These are only my opinions of how I see things and therefore should not be taken as advice



Senior Member

Status: Offline
Posts: 252
Date:
Permalink Closed

Leger wrote:

I was rather gobsmacked when looking at the student sign up page on AAT last night and there was a tick box to opt out of 3rd party notifications.

No, AAT, that's totally wrong. it's opt in not opt out.  That's the whole point of GDPR.

Looking at their data policy it gets worse.  They keep your details for 10 years after you cease membership with some exceptions:

  • Your basic student records, such as name, address history, membership statuses, work experience history and other awarding bodies and practice management details will be retained for 100 years from the end of your membership to support other required reporting and professional queries

Their emphasis, not mine

What conceivable reason would they need to hold on to that info for that long?

 


There is something called a "soft opt in" whereby, as long as you inform customers at the time of collecting their data exactly what you will be using it for and give them the opportunity to object, you can use data for legitimate business reasons without having to rely on "consent". So if you buy food from Tesco online it is reasonable for them to send you emails about their offers on tomatoes, but it would not be reasonable for them to try and market their insurance policies to you.



__________________

Julie



Expert

Status: Offline
Posts: 1811
Date:
Permalink Closed

"So if you buy food from Tesco online it is reasonable for them to send you emails about their offers on tomatoes but it would not be reasonable for them to try and market their insurance policies to you."

Not sure where you get that idea, but AFAIK that's completely wrong - for one thing, a "soft opt in" along the lines you describe would be in breach of the Privacy and Electronic Communications Regulations (2003).

__________________

Vince M Hudd - Soft Rock Software

(I only came here looking for fellow apiarists...)



Senior Member

Status: Offline
Posts: 252
Date:
Permalink Closed

From the ICO themselves on the reams of paperwork they have on their site about GDPR. Specifically pages 40-43 of the Direct Marketing Guidance Version 2.3 updated to include GDPR. The supermarket example is given on page 42.

__________________

Julie



Expert

Status: Offline
Posts: 1811
Date:
Permalink Closed

*checks*

Ah, okay - that's actually talking about the PECR, and matches what I expected:

Existing customers: the soft opt-in

131. Although organisations can generally only send marketing texts or emails with specific consent, there is an exception to this rule for existing customers, known as the soft opt-in. This means organisations can send marketing texts or emails if:

  • they have obtained the contact details in the course of a sale (or negotiations for a sale) of a product or service to that person;

  • they are only marketing their own similar products or services; and

  • they gave the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that.

There's interesting phraseology there that I hadn't noticed before, and which could easily cause confusion. The opening paragraph reiterates the point about consent generally being needed, then says this is an "exception" - which makes it sound like consent is NOT needed. Read that third bullet point, though: The person has to have been given an opportunity to refuse or opt out when their details were first collected, and in every message.

That right there is, by definition, consent - an annoying way of obtaining it (and I thought it had changed with GDPR), but it is consent.

It's not a case of "soft opt-in" means no consent - which is what you said ('you can use data for legitimate business reasons without having to rely on "consent"'); it's still consent, but slightly different from collecting details (without a sale happening) and asking to send emails etc.

Edit:

However, what John said was: "I was rather gobsmacked when looking at the student sign up page on AAT last night and there was a tick box to opt out of 3rd party notifications."

That is wrong. The "soft opt-in" gubbins doesn't apply to third party stuff - #133 "The contact details must be obtained directly from the individual by the organisation who wishes to engage in the marketing and the marketing must be in relation to that organisations similar products and services. Therefore the soft opt-in can only be relied upon by the organisation that collected the contact details. This means organisations cannot rely on a soft opt-in if they obtained a marketing list from a third party they will need specific consent."

Although, I note that it says 'notifications' - so I wonder if it's something a little more fundamental to the person's studies, rather than marketing. (Having never studied, I've no idea how AAT etc. work.)



-- Edited by VinceH on Tuesday 5th of June 2018 10:43:04 AM

__________________

Vince M Hudd - Soft Rock Software

(I only came here looking for fellow apiarists...)



Senior Member

Status: Offline
Posts: 252
Date:
Permalink Closed

Absolutely, the "soft opt in" does not apply to third parties. I have put a notice on the signature of every single email the company sends out informing them exactly what we will do with the data and how it will be stored, and giving the opportunity to refuse (there are certain things they can't object to us doing, such as passing their details on to Gas Safe for legally required registrations etc.). We are also going to have to start telling customers this over the telephone.

Basically all we do (or rather our engineers) is send an email to existing customers to remind them when their annual servicing is due or their Landlord's Gas Safe certificate is about to expire.

It really would help if we weren't all working blind. My biggest issue has been other staff members, where the ICO say you must NOT use consent because of the power balance between employer/employee. How do I make sure that it's OK to give a delivery driver the mobile phone number of an engineer working on site when the driver is lost and the engineer is waiting for a delivery?

__________________

Julie



Master Book-keeper

Status: Offline
Posts: 8646
Date:
Permalink Closed

Hi Julie
The email reminder comes under contract so you justify it that way.

The giving a delivery driver a mobile number scenario is an interesting one. Get round it by issuing work mobiles (not ideal just for this!).

Or it should've been scoped out when doing your investigative work around what data is held about whom and what scenarios it's used in. Then it can be covered off in a document to obtain consent. Now back to the real world!!!!!!!!!! I really don't think the bureaucrats have thought this one through, have they?

It's a bit like disaster planning, and I bet most companies haven't gone through it in that kind of level of detail. Sure as eggs are bacon, you shouldn't be scoping it out as a one-woman team. Grab a few bods, a bit of flip chart and throw in some chocolates... amazing how many ideas of situations you might get. Although I reckon that consent document will need to be extended over time! Or just get them all business mobiles.



__________________

 Joanne 

Winner of Bookkeeper of the Year 2015, 2016 & 2017 

Thoughts are my own/not to be regarded as official advice, which should be sought from a suitably qualified Accountant.

You should check out answers with reference to the legal position



Senior Member

Status: Offline
Posts: 252
Date:
Permalink Closed

Oddly some of them don't want business mobiles! They don't want the hassle of carrying two phones. It was during the data audit that I picked up on this issue.

I emailed ICO about employees and consent ooh, about 3-4 weeks ago with a specific query. Guess what, no reply yet.

Makes payroll & CIS seem like a breeze!



__________________

Julie
